diff --git a/content/guides/admin-user-management/onboard.md b/content/guides/admin-user-management/onboard.md index 93d11490bc7b..27b804cec585 100644 --- a/content/guides/admin-user-management/onboard.md +++ b/content/guides/admin-user-management/onboard.md @@ -67,4 +67,4 @@ It also: - Ensures consistent access control policies. - Help you scale permissions as teams grow or change. -For more information on how it works, see [Group mapping](/manuals/enterprise/security/provisioning/group-mapping.md). +For more information on how it works, see [Group mapping](/enterprise/security/provisioning/scim/group-mapping). diff --git a/content/manuals/admin/organization/_index.md b/content/manuals/admin/organization/_index.md index ec1d2bc1b07f..fcf47cfc0b91 100644 --- a/content/manuals/admin/organization/_index.md +++ b/content/manuals/admin/organization/_index.md @@ -31,13 +31,11 @@ grid: link: /admin/organization/general-settings/ - title: SSO and SCIM description: 'Set up [Single Sign-On](/security/for-admins/single-sign-on/) - and [SCIM](/security/for-admins/provisioning/scim/) for your organization. - - ' + and [SCIM](/security/for-admins/provisioning/scim/) for your organization.' icon: key - title: Domain management description: Add, verify, and audit your domains. - link: /security/for-admins/domain-management/ + link: /enterprise/security/provisioning/domain-management/ icon: domain_verification - title: FAQs description: Explore common organization FAQs. diff --git a/content/manuals/admin/organization/general-settings.md b/content/manuals/admin/organization/general-settings.md index 4387e4ec4d9f..74d6abe3ec21 100644 --- a/content/manuals/admin/organization/general-settings.md +++ b/content/manuals/admin/organization/general-settings.md 
@@ -31,5 +31,5 @@ After configuring your organization information, you can: - [Configure single sign-on (SSO)](/manuals/enterprise/security/single-sign-on/connect.md) - [Set up SCIM provisioning](/manuals/enterprise/security/provisioning/scim.md) -- [Manage domains](/manuals/enterprise/security/domain-management.md) +- [Manage domains](/enterprise/security/provisioning/domain-management) - [Create a company](/manuals/admin/company/new-company.md) diff --git a/content/manuals/admin/organization/onboard.md b/content/manuals/admin/organization/onboard.md index 2c206bf5b6ca..289abd179efd 100644 --- a/content/manuals/admin/organization/onboard.md +++ b/content/manuals/admin/organization/onboard.md @@ -169,7 +169,7 @@ security posture: - [Manage Docker products](./manage-products.md) to configure access and view usage. - Configure [Hardened Docker Desktop](/desktop/hardened-desktop/) to improve your organization’s security posture for containerized development. -- [Manage your domains](/manuals/enterprise/security/domain-management.md) to ensure that all Docker users in your domain are part of your organization. +- [Manage your domains](/enterprise/security/provisioning/domain-management) to ensure that all Docker users in your domain are part of your organization. Your Docker subscription provides many more additional features. To learn more, see [Docker subscriptions and features](https://www.docker.com/pricing?ref=Docs&refAction=DocsAdminOnboard). diff --git a/content/manuals/enterprise/security/_index.md b/content/manuals/enterprise/security/_index.md index 800adb38e106..458cc6b2dfee 100644 --- a/content/manuals/enterprise/security/_index.md +++ b/content/manuals/enterprise/security/_index.md 
@@ -34,7 +34,7 @@ grid_admins: icon: passkey - title: Domain management description: Identify uncaptured users in your organization. - link: /enterprise/security/domain-management/ + link: /enterprise/security/provisioning/domain-management/ icon: person_search - title: Docker Scout description: Explore how Docker Scout can help you create a more secure software supply chain. diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/_index.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/_index.md index 71bcb57f3408..14918a3be230 100644 --- a/content/manuals/enterprise/security/hardened-desktop/settings-management/_index.md +++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/_index.md @@ -62,7 +62,7 @@ When multiple policies exist, Docker Desktop applies them in this order: You can create settings management policies at any time, but your organization needs to verify a domain before the policies take effect. -1. Check that you have [added and verified](/manuals/enterprise/security/domain-management.md#add-and-verify-a-domain) your organization's domain. +1. Check that you have [added and verified](/enterprise/security/provisioning/domain-management/#add-and-verify-a-domain) your organization's domain. 2. [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) to ensure all developers authenticate with your organization. 3. Choose a configuration method: diff --git a/content/manuals/enterprise/security/provisioning/_index.md b/content/manuals/enterprise/security/provisioning/_index.md index fb5f329b931a..b7efa9039a8e 100644 --- a/content/manuals/enterprise/security/provisioning/_index.md +++ b/content/manuals/enterprise/security/provisioning/_index.md 
@@ -18,7 +18,7 @@ grid: - title: "Group mapping" description: "Configure role-based access control using IdP groups. Perfect for strict access control requirements." icon: "group" - link: "group-mapping/" + link: "scim/group-mapping/" --- {{< summary-bar feature_name="SSO" >}} diff --git a/content/manuals/enterprise/security/provisioning/auto-provisioning.md b/content/manuals/enterprise/security/provisioning/auto-provisioning.md new file mode 100644 index 000000000000..9e9155906d82 --- /dev/null +++ b/content/manuals/enterprise/security/provisioning/auto-provisioning.md 
@@ -0,0 +1,53 @@ +--- +title: Auto-provisioning +linkTitle: Auto-provisioning +description: Learn how Just-in-Time provisioning works with your SSO connection. +keywords: user provisioning, just-in-time provisioning, JIT, autoprovision, Docker Admin, admin, security +weight: 10 +aliases: + - /security/for-admins/provisioning/just-in-time/ +--- + +Auto-provisioning automatically adds users to your organization when they sign in with email addresses that match your verified domains. You must verify a domain before enabling auto-provisioning. + +> [!IMPORTANT] +> +> For domains that are part of an SSO connection, Just-in-Time (JIT) provisioning takes precedence over auto-provisioning when adding users to an organization. + +### Overview + +When auto-provisioning is enabled for a verified domain: + +- Users who sign in to Docker with matching email addresses are automatically added to your organization. +- Auto-provisioning only adds existing Docker users to your organization, it doesn't create new accounts. +- Users experience no changes to their sign-in process. +- Company and organization owners receive email notifications when new users are added. +- You may need to [manage seats](/manuals/subscription/manage-seats.md) to accommodate new users. + +### Enable auto-provisioning + +Auto-provisioning is configured per domain. To enable it: + +1. Sign in to [Docker Home](https://app.docker.com) and select +your company or organization. +1. Select **Admin Console**, then **Domain management**. +1. Select the **Actions menu** next to the domain you want to enable +auto-provisioning for. +1. Select **Enable auto-provisioning**. +1. Optional. If enabling auto-provisioning at the company level, select an +organization. +1. Select **Enable** to confirm. + +The **Auto-provisioning** column will update to **Enabled** for the domain. + +### Disable auto-provisioning + +To disable auto-provisioning for a user: + +1. 
Sign in to [Docker Home](https://app.docker.com) and select +your organization. If your organization is part of a company, select the company +and configure the domain for the organization at the company level. +1. Select **Admin Console**, then **Domain management**. +1. Select the **Actions menu** next to your domain. +1. Select **Disable auto-provisioning**. +1. Select **Disable** to confirm. diff --git a/content/manuals/enterprise/security/domain-management.md b/content/manuals/enterprise/security/provisioning/domain-management.md similarity index 73% rename from content/manuals/enterprise/security/domain-management.md rename to content/manuals/enterprise/security/provisioning/domain-management.md index de471bce6807..d0bff9359276 100644 --- a/content/manuals/enterprise/security/domain-management.md +++ b/content/manuals/enterprise/security/provisioning/domain-management.md @@ -1,8 +1,8 @@ --- -title: Manage domains +title: Add and manage domains description: Add, verify, and manage domains to control user access and enable auto-provisioning in Docker organizations keywords: domain management, domain verification, auto-provisioning, user management, DNS, TXT record, Admin Console -weight: 55 +weight: 40 aliases: - /security/for-admins/domain-management/ - /docker-hub/domain-audit/ 
@@ -79,56 +79,8 @@ your domain name. {{< /tab >}} {{< /tabs >}} -## Configure auto-provisioning - -Auto-provisioning automatically adds users to your organization when they sign in with email addresses that match your verified domains. You must verify a domain before enabling auto-provisioning. - -> [!IMPORTANT] -> -> For domains that are part of an SSO connection, Just-in-Time (JIT) provisioning takes precedence over auto-provisioning when adding users to an organization. - -### How auto-provisioning works - -When auto-provisioning is enabled for a verified domain: - -- Users who sign in to Docker with matching email addresses are automatically added to your organization. -- Auto-provisioning only adds existing Docker users to your organization, it doesn't create new accounts. -- Users experience no changes to their sign-in process. -- Company and organization owners receive email notifications when new users are added. -- You may need to [manage seats](/manuals/subscription/manage-seats.md) to accommodate new users. - -### Enable auto-provisioning - -Auto-provisioning is configured per domain. To enable it: - -1. Sign in to [Docker Home](https://app.docker.com) and select -your company or organization. -1. Select **Admin Console**, then **Domain management**. -1. Select the **Actions menu** next to the domain you want to enable -auto-provisioning for. -1. Select **Enable auto-provisioning**. -1. Optional. If enabling auto-provisioning at the company level, select an -organization. -1. Select **Enable** to confirm. - -The **Auto-provisioning** column will update to **Enabled** for the domain. - -### Disable auto-provisioning - -To disable auto-provisioning for a user: - -1. Sign in to [Docker Home](https://app.docker.com) and select -your organization. If your organization is part of a company, select the company -and configure the domain for the organization at the company level. -1. Select **Admin Console**, then **Domain management**. -1. 
Select the **Actions menu** next to your domain. -1. Select **Disable auto-provisioning**. -1. Select **Disable** to confirm. - ## Audit domains for uncaptured users -{{< summary-bar feature_name="Domain audit" >}} - Domain audit identifies uncaptured users. Uncaptured users are Docker users who have authenticated using an email address associated with your verified domains but aren't members of your Docker organization. ### Limitations diff --git a/content/manuals/enterprise/security/provisioning/just-in-time.md b/content/manuals/enterprise/security/provisioning/just-in-time.md index d03204bccf99..8d857666120b 100644 --- a/content/manuals/enterprise/security/provisioning/just-in-time.md +++ b/content/manuals/enterprise/security/provisioning/just-in-time.md @@ -3,7 +3,7 @@ description: Learn how Just-in-Time provisioning works with your SSO connection. keywords: user provisioning, just-in-time provisioning, JIT, autoprovision, Docker Admin, admin, security title: Just-in-Time provisioning linkTitle: Just-in-Time -weight: 10 +weight: 30 aliases: - /security/for-admins/provisioning/just-in-time/ --- @@ -84,6 +84,6 @@ Users are provisioned with JIT by default. If you enable SCIM, you can disable J ## Next steps -- Configure [SCIM provisioning](/manuals/enterprise/security/provisioning/scim.md) for advanced user management. -- Set up [group mapping](/manuals/enterprise/security/provisioning/group-mapping.md) to automatically assign users to teams. -- Review [Troubleshoot provisioning](/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md). +- Configure [SCIM provisioning](/enterprise/security/provisioning/scim/) for advanced user management. +- Set up [group mapping](/enterprise/security/provisioning/scim/group-mapping) to automatically assign users to teams. +- Review [Troubleshoot provisioning](/enterprise/security/provisioning/troubleshoot-provisioning/). 
diff --git a/content/manuals/enterprise/security/provisioning/scim/_index.md b/content/manuals/enterprise/security/provisioning/scim/_index.md new file mode 100644 index 000000000000..4359b583240c --- /dev/null +++ b/content/manuals/enterprise/security/provisioning/scim/_index.md 
@@ -0,0 +1,59 @@ +--- +title: SCIM overview +linkTitle: SCIM +weight: 20 +description: Learn how System for Cross-domain Identity Management works and how to set it up. +keywords: SCIM, SSO, user provisioning, de-provisioning, role mapping, assign users +aliases: + - /security/for-admins/scim/ + - /docker-hub/scim/ + - /security/for-admins/provisioning/scim/ +--- + +{{< summary-bar feature_name="SSO" >}} + +Automate user management for your Docker organization using System for +Cross-domain Identity Management (SCIM). SCIM automatically provisions and +de-provisions users, synchronizes team memberships, and keeps your Docker +organization in sync with your identity provider. + +This page shows you how to automate user provisioning and de-provisioning for +Docker using SCIM. + +## Prerequisites + +Before you begin, you must have: + +- SSO configured for your organization +- Administrator access to Docker Home and your identity provider + +## How SCIM works + +SCIM automates user provisioning and de-provisioning for Docker through your +identity provider. After you enable SCIM, any user assigned to your +Docker application in your identity provider is automatically provisioned and +added to your Docker organization. When a user is removed from the Docker +application in your identity provider, SCIM deactivates and removes them from +your Docker organization. + +In addition to provisioning and removal, SCIM also syncs profile updates like +name changes made in your identity provider. You can use SCIM alongside Docker's +default Just-in-Time (JIT) provisioning or on its own with JIT disabled. + +SCIM automates: + +- Creating users +- Updating user profiles +- Removing and deactivating users +- Re-activating users +- Group mapping + +> [!NOTE] +> +> SCIM only manages users provisioned through your identity provider after +> SCIM is enabled. It cannot remove users who were manually added to your Docker +> organization before SCIM was set up. 
+> +> To remove those users, delete them manually from your Docker organization. +> For more information, see +> [Manage organization members](/manuals/admin/organization/members.md). diff --git a/content/manuals/enterprise/security/provisioning/group-mapping.md b/content/manuals/enterprise/security/provisioning/scim/group-mapping.md similarity index 95% rename from content/manuals/enterprise/security/provisioning/group-mapping.md rename to content/manuals/enterprise/security/provisioning/scim/group-mapping.md index 4e47b0d617e0..3b607cb133e0 100644 --- a/content/manuals/enterprise/security/provisioning/group-mapping.md +++ b/content/manuals/enterprise/security/provisioning/scim/group-mapping.md @@ -7,8 +7,8 @@ aliases: - /admin/organization/security-settings/group-mapping/ - /docker-hub/group-mapping/ - /security/for-admins/group-mapping/ -- /security/for-admins/provisioning/group-mapping/ -weight: 30 +- /security/for-admins/provisioning/scim/group-mapping/ +weight: 20 --- {{< summary-bar feature_name="SSO" >}} @@ -19,7 +19,7 @@ This page explains how group mapping works, and how to set up group mapping. > [!TIP] > -> Group mapping is ideal for adding users to multiple organizations or multiple teams within one organization. If you don't need to set up multi-organization or multi-team assignment, SCIM [user-level attributes](scim.md#set-up-role-mapping) may be a better fit for your needs. +> Group mapping is ideal for adding users to multiple organizations or multiple teams within one organization. If you don't need to set up multi-organization or multi-team assignment, SCIM [user-level attributes](provision-scim.md#set-up-role-mapping) may be a better fit for your needs. ## Prerequisites 
@@ -125,7 +125,7 @@ The next time you sync your groups with Docker, your users will map to the Docke ## Configure group mapping with SCIM -Use group mapping with SCIM for more advanced user lifecycle management. Before you begin, make sure you [set up SCIM](./scim.md#enable-scim) first. +Use group mapping with SCIM for more advanced user lifecycle management. Before you begin, make sure you [set up SCIM](./provision-scim.md#enable-scim) first. {{< tabs >}} {{< tab name="Okta" >}} @@ -190,4 +190,4 @@ Once complete, a user who signs in to Docker through SSO is automatically added > [!TIP] > -> [Enable SCIM](scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually. +> [Enable SCIM](provision-scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually. diff --git a/content/manuals/enterprise/security/provisioning/scim/migrate-scim.md b/content/manuals/enterprise/security/provisioning/scim/migrate-scim.md new file mode 100644 index 000000000000..55aeb29a4c5c --- /dev/null +++ b/content/manuals/enterprise/security/provisioning/scim/migrate-scim.md 
@@ -0,0 +1,176 @@ +--- +title: Migrate JIT to SCIM +linkTitle: Migrate +description: Learn how to migrate from just-in-time (JIT) to SCIM. +weight: 30 +--- + +## Migrate existing JIT users to SCIM + +If you already have users provisioned through Just-in-Time (JIT) and want to +enable full SCIM lifecycle management, you need to migrate them. Users +originally created by JIT cannot be automatically de-provisioned through SCIM, +even after SCIM is enabled. + +### Why migrate + +Organizations using JIT provisioning may encounter limitations with user +lifecycle management, particularly around de-provisioning. Migrating to SCIM +provides: + +- Automatic user de-provisioning when users leave your organization. This is + the primary benefit for large organizations that need full automation. +- Continuous synchronization of user attributes +- Centralized user management through your identity provider +- Enhanced security through automated access control + +> [!IMPORTANT] +> +> Users originally created through JIT provisioning cannot be automatically +> de-provisioned by SCIM, even after SCIM is enabled. To enable full lifecycle +> management including automatic de-provisioning through your identity provider, +> you must manually remove these users so SCIM can re-create them with proper +> lifecycle management capabilities. + +This migration is most critical for larger organizations that require fully +automated user de-provisioning when employees leave the company. + +### Prerequisites for migration + +Before migrating, ensure you have: + +- SCIM configured and tested in your organization +- A maintenance window for the migration + +> [!WARNING] +> +> This migration temporarily disrupts user access. Plan to perform this +> migration during a low-usage window and communicate the timeline to affected +> users. 
+ +### Prepare for migration + +#### Transfer ownership + +Before removing users, ensure that any repositories, teams, or organization +resources they own are transferred to another administrator or service account. +When a user is removed from the organization, any resources they own may +become inaccessible. + +1. Review repositories, organization resources, and team ownership for affected + users. +2. Transfer ownership to another administrator. + +> [!WARNING] +> +> If ownership is not transferred, repositories owned by removed users may +> become inaccessible when the user is removed. Ensure all critical resources +> are transferred before proceeding. + +#### Verify identity provider configuration + +1. Confirm all JIT-provisioned users are assigned to the Docker application in + your identity provider. +2. Verify identity provider group to Docker team mappings are configured and + tested. + +Users not assigned to the Docker application in your identity provider are not +re-created by SCIM after removal. + +#### Export user records + +Export a list of JIT-provisioned users from Docker Admin Console: + +1. Sign in to [Docker Home](https://app.docker.com) and select your + organization. +2. Select **Admin Console**, then **Members**. +3. Select **Export members** to download the member list as CSV for backup and + reference. + +Keep this CSV list of JIT-provisioned users as a rollback reference if needed. + +### Complete the migration + +#### Disable JIT provisioning + +> [!IMPORTANT] +> +> Before disabling JIT, ensure SCIM is fully configured and tested in your +> organization. Do not disable JIT until you have verified SCIM is working +> correctly. + +1. Sign in to [Docker Home](https://app.docker.com) and select your organization. +2. Select **Admin Console**, then **SSO and SCIM**. +3. In the SSO connections table, select the **Actions** menu for your connection. +4. Select **Disable JIT provisioning**. +5. Select **Disable** to confirm. 
+ +Disabling JIT prevents new users from being automatically added through SSO +during the migration. + +#### Remove JIT-origin users + +> [!IMPORTANT] +> +> Users originally created through JIT provisioning cannot be automatically +> de-provisioned by SCIM, even after SCIM is enabled. To enable full lifecycle +> management including automatic de-provisioning through your identity provider, +> you must manually remove these users so SCIM can re-create them with proper +> lifecycle management capabilities. + +This step is most critical for large organizations that require fully automated +user de-provisioning when employees leave the company. + +1. Sign in to [Docker Home](https://app.docker.com) and select your organization. +2. Select **Admin Console**, then **Members**. +3. Identify and remove JIT-provisioned users in manageable batches. +4. Monitor for any errors during removal. + +> [!TIP] +> +> To efficiently identify JIT users, compare the member list exported before +> SCIM was enabled with the current member list. Users who existed before SCIM +> was enabled were likely provisioned via JIT. + +#### Verify SCIM re-provisioning + +After removing JIT users, SCIM automatically re-creates user accounts: + +1. In your identity provider system log, confirm "create app user" events for + Docker. +2. In Docker Admin Console, confirm users reappear with SCIM provisioning. +3. Verify users are added to the correct teams via group mapping. + +#### Validate user access + +Perform post-migration validation: + +1. Select a subset of migrated users to test sign-in and access. +2. Verify team membership matches identity provider group assignments. +3. Confirm repository access is restored. +4. Test that de-provisioning works correctly by removing a test user from your + identity provider. + +Keep audit exports and logs for compliance purposes. 
+ +### Migration results + +After completing the migration: + +- All users in your organization are SCIM-provisioned +- User de-provisioning works reliably through your identity provider +- No new JIT users are created +- Consistent identity lifecycle management is maintained + +### Troubleshoot migration issues + +If a user fails to reappear after removal: + +1. Check that the user is assigned to the Docker application in your identity + provider. +2. Verify SCIM is enabled in both Docker and your identity provider. +3. Trigger a manual SCIM sync in your identity provider. +4. Check provisioning logs in your identity provider for errors. + +For more troubleshooting guidance, see +[Troubleshoot provisioning](/enterprise/security/provisioning/troubleshoot-provisioning/). \ No newline at end of file diff --git a/content/manuals/enterprise/security/provisioning/scim.md b/content/manuals/enterprise/security/provisioning/scim/provision-scim.md similarity index 64% rename from content/manuals/enterprise/security/provisioning/scim.md rename to content/manuals/enterprise/security/provisioning/scim/provision-scim.md index 390953c9fa84..e1a82f1a06c7 100644 --- a/content/manuals/enterprise/security/provisioning/scim.md +++ b/content/manuals/enterprise/security/provisioning/scim/provision-scim.md 
@@ -1,63 +1,12 @@ --- -title: SCIM provisioning -linkTitle: SCIM +title: Set up SCIM provisioning +linkTitle: Set up description: Learn how System for Cross-domain Identity Management works and how to set it up. -keywords: SCIM, SSO, user provisioning, de-provisioning, role mapping, assign users -aliases: - - /security/for-admins/scim/ - - /docker-hub/scim/ - - /security/for-admins/provisioning/scim/ -weight: 20 +weight: 10 --- {{< summary-bar feature_name="SSO" >}} -Automate user management for your Docker organization using System for -Cross-domain Identity Management (SCIM). SCIM automatically provisions and -de-provisions users, synchronizes team memberships, and keeps your Docker -organization in sync with your identity provider. - -This page shows you how to automate user provisioning and de-provisioning for -Docker using SCIM. - -## Prerequisites - -Before you begin, you must have: - -- SSO configured for your organization -- Administrator access to Docker Home and your identity provider - -## How SCIM works - -SCIM automates user provisioning and de-provisioning for Docker through your -identity provider. After you enable SCIM, any user assigned to your -Docker application in your identity provider is automatically provisioned and -added to your Docker organization. When a user is removed from the Docker -application in your identity provider, SCIM deactivates and removes them from -your Docker organization. - -In addition to provisioning and removal, SCIM also syncs profile updates like -name changes made in your identity provider. You can use SCIM alongside Docker's -default Just-in-Time (JIT) provisioning or on its own with JIT disabled. - -SCIM automates: - -- Creating users -- Updating user profiles -- Removing and deactivating users -- Re-activating users -- Group mapping - -> [!NOTE] -> -> SCIM only manages users provisioned through your identity provider after -> SCIM is enabled. 
It cannot remove users who were manually added to your Docker -> organization before SCIM was set up. -> -> To remove those users, delete them manually from your Docker organization. -> For more information, see -> [Manage organization members](/manuals/admin/organization/members.md). - ## Supported attributes SCIM uses attributes (name, email, etc.) to sync user information between your @@ -201,7 +150,7 @@ Next, [set up role mapping](#set-up-role-mapping). ## Set up role mapping -You can assign [Docker roles](../roles-and-permissions.md) to +You can assign [Docker roles](/enterprise/security/roles-and-permissions/) to users by adding optional SCIM attributes in your IdP. These attributes override default role and team values set in your SSO configuration. @@ -215,7 +164,7 @@ The following table lists the supported optional user-level attributes: | Attribute | Possible values | Notes | | ------------ | ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `dockerRole` | `member`, `editor`, or `owner` | If not set, the user defaults to the `member` role. Setting this attribute overrides the default.

For role definitions, see [Roles and permissions](../roles-and-permissions.md). | +| `dockerRole` | `member`, `editor`, or `owner` | If not set, the user defaults to the `member` role. Setting this attribute overrides the default.

For role definitions, see [Roles and permissions](/enterprise/security/roles-and-permissions/). | | `dockerOrg` | Docker `organizationName` (e.g., `moby`) | Overrides the default organization configured in your SSO connection.

If unset, the user is provisioned to the default organization. If `dockerOrg` and `dockerTeam` are both set, the user is provisioned to the team within the specified organization. | | `dockerTeam` | Docker `teamName` (e.g., `developers`) | Provisions the user to the specified team in the default or specified organization. If the team doesn't exist, it is automatically created.

You can still use [group mapping](group-mapping.md) to assign users to multiple teams across organizations. | @@ -227,7 +176,7 @@ This value is required in your identity provider when creating custom SCIM attri ### Step one: Set up role mapping in Okta -1. Setup [SSO](../single-sign-on/connect.md) and SCIM first. +1. Setup [SSO](/enterprise/security/single-sign-on/connect) and SCIM first. 1. In the Okta admin portal, go to **Directory**, select **Profile Editor**, and then **User (Default)**. 1. Select **Add Attribute** and configure the values for the role, organization, 
@@ -403,176 +352,6 @@ After completing role mapping, you can test the configuration manually. {{< /tab >}} {{< /tabs >}} -## Migrate existing JIT users to SCIM - -If you already have users provisioned through Just-in-Time (JIT) and want to -enable full SCIM lifecycle management, you need to migrate them. Users -originally created by JIT cannot be automatically de-provisioned through SCIM, -even after SCIM is enabled. - -### Why migrate - -Organizations using JIT provisioning may encounter limitations with user -lifecycle management, particularly around de-provisioning. Migrating to SCIM -provides: - -- Automatic user de-provisioning when users leave your organization. This is - the primary benefit for large organizations that need full automation. -- Continuous synchronization of user attributes -- Centralized user management through your identity provider -- Enhanced security through automated access control - -> [!IMPORTANT] -> -> Users originally created through JIT provisioning cannot be automatically -> de-provisioned by SCIM, even after SCIM is enabled. To enable full lifecycle -> management including automatic de-provisioning through your identity provider, -> you must manually remove these users so SCIM can re-create them with proper -> lifecycle management capabilities. - -This migration is most critical for larger organizations that require fully -automated user de-provisioning when employees leave the company. - -### Prerequisites for migration - -Before migrating, ensure you have: - -- SCIM configured and tested in your organization -- A maintenance window for the migration - -> [!WARNING] -> -> This migration temporarily disrupts user access. Plan to perform this -> migration during a low-usage window and communicate the timeline to affected -> users. 
- -### Prepare for migration - -#### Transfer ownership - -Before removing users, ensure that any repositories, teams, or organization -resources they own are transferred to another administrator or service account. -When a user is removed from the organization, any resources they own may -become inaccessible. - -1. Review repositories, organization resources, and team ownership for affected - users. -2. Transfer ownership to another administrator. - -> [!WARNING] -> -> If ownership is not transferred, repositories owned by removed users may -> become inaccessible when the user is removed. Ensure all critical resources -> are transferred before proceeding. - -#### Verify identity provider configuration - -1. Confirm all JIT-provisioned users are assigned to the Docker application in - your identity provider. -2. Verify identity provider group to Docker team mappings are configured and - tested. - -Users not assigned to the Docker application in your identity provider are not -re-created by SCIM after removal. - -#### Export user records - -Export a list of JIT-provisioned users from Docker Admin Console: - -1. Sign in to [Docker Home](https://app.docker.com) and select your - organization. -2. Select **Admin Console**, then **Members**. -3. Select **Export members** to download the member list as CSV for backup and - reference. - -Keep this CSV list of JIT-provisioned users as a rollback reference if needed. - -### Complete the migration - -#### Disable JIT provisioning - -> [!IMPORTANT] -> -> Before disabling JIT, ensure SCIM is fully configured and tested in your -> organization. Do not disable JIT until you have verified SCIM is working -> correctly. - -1. Sign in to [Docker Home](https://app.docker.com) and select your organization. -2. Select **Admin Console**, then **SSO and SCIM**. -3. In the SSO connections table, select the **Actions** menu for your connection. -4. Select **Disable JIT provisioning**. -5. Select **Disable** to confirm. 
- -Disabling JIT prevents new users from being automatically added through SSO -during the migration. - -#### Remove JIT-origin users - -> [!IMPORTANT] -> -> Users originally created through JIT provisioning cannot be automatically -> de-provisioned by SCIM, even after SCIM is enabled. To enable full lifecycle -> management including automatic de-provisioning through your identity provider, -> you must manually remove these users so SCIM can re-create them with proper -> lifecycle management capabilities. - -This step is most critical for large organizations that require fully automated -user de-provisioning when employees leave the company. - -1. Sign in to [Docker Home](https://app.docker.com) and select your organization. -2. Select **Admin Console**, then **Members**. -3. Identify and remove JIT-provisioned users in manageable batches. -4. Monitor for any errors during removal. - -> [!TIP] -> -> To efficiently identify JIT users, compare the member list exported before -> SCIM was enabled with the current member list. Users who existed before SCIM -> was enabled were likely provisioned via JIT. - -#### Verify SCIM re-provisioning - -After removing JIT users, SCIM automatically re-creates user accounts: - -1. In your identity provider system log, confirm "create app user" events for - Docker. -2. In Docker Admin Console, confirm users reappear with SCIM provisioning. -3. Verify users are added to the correct teams via group mapping. - -#### Validate user access - -Perform post-migration validation: - -1. Select a subset of migrated users to test sign-in and access. -2. Verify team membership matches identity provider group assignments. -3. Confirm repository access is restored. -4. Test that de-provisioning works correctly by removing a test user from your - identity provider. - -Keep audit exports and logs for compliance purposes. 
- -### Migration results - -After completing the migration: - -- All users in your organization are SCIM-provisioned -- User de-provisioning works reliably through your identity provider -- No new JIT users are created -- Consistent identity lifecycle management is maintained - -### Troubleshoot migration issues - -If a user fails to reappear after removal: - -1. Check that the user is assigned to the Docker application in your identity - provider. -2. Verify SCIM is enabled in both Docker and your identity provider. -3. Trigger a manual SCIM sync in your identity provider. -4. Check provisioning logs in your identity provider for errors. - -For more troubleshooting guidance, see -[Troubleshoot provisioning](/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md). - ## Disable SCIM If SCIM is disabled, any user provisioned through SCIM will remain in the @@ -589,5 +368,5 @@ To disable SCIM: ## Next steps -- Set up [Group mapping](/manuals/enterprise/security/provisioning/group-mapping.md). -- [Troubleshoot provisioning](/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md). +- Set up [Group mapping](/enterprise/security/provisioning/scim/group-mapping/). +- [Troubleshoot provisioning](/enterprise/security/provisioning/troubleshoot-provisioning/). diff --git a/content/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md b/content/manuals/enterprise/security/provisioning/troubleshoot-provisioning.md similarity index 96% rename from content/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md rename to content/manuals/enterprise/security/provisioning/troubleshoot-provisioning.md index 7dbaa148d02d..3f559a25f550 100644 --- a/content/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md +++ b/content/manuals/enterprise/security/provisioning/troubleshoot-provisioning.md 
@@ -1,12 +1,12 @@ --- title: Troubleshoot provisioning -linkTitle: Troubleshoot provisioning +linkTitle: Troubleshoot description: Troubleshoot common user provisioning issues with SCIM and Just-in-Time provisioning keywords: SCIM troubleshooting, user provisioning, JIT provisioning, group mapping, attribute conflicts tags: [Troubleshooting] toc_max: 2 aliases: - - /security/troubleshoot/troubleshoot-provisioning/ + - /enterprise/security/provisioning/troubleshoot-provisioning/ --- This page helps troubleshoot common user provisioning issues including user roles, attributes, and unexpected account behavior with SCIM and Just-in-Time (JIT) provisioning. diff --git a/content/manuals/enterprise/security/single-sign-on/FAQs/general.md b/content/manuals/enterprise/security/single-sign-on/FAQs/general.md index 69e660b77c2c..ce25481d4df8 100644 --- a/content/manuals/enterprise/security/single-sign-on/FAQs/general.md +++ b/content/manuals/enterprise/security/single-sign-on/FAQs/general.md @@ -3,7 +3,7 @@ description: Frequently asked questions about Docker single sign-on keywords: Docker, Docker Hub, SSO FAQs, single sign-on, administration, security title: General SSO FAQs linkTitle: General -weight: 10 +weight: 20 tags: [FAQ] aliases: - /single-sign-on/faqs/ diff --git a/content/manuals/enterprise/troubleshoot/troubleshoot-sso.md b/content/manuals/enterprise/security/single-sign-on/FAQs/troubleshoot-sso.md similarity index 99% rename from content/manuals/enterprise/troubleshoot/troubleshoot-sso.md rename to content/manuals/enterprise/security/single-sign-on/FAQs/troubleshoot-sso.md index ce3b554270cd..cc31af30d637 100644 --- a/content/manuals/enterprise/troubleshoot/troubleshoot-sso.md +++ b/content/manuals/enterprise/security/single-sign-on/FAQs/troubleshoot-sso.md 
@@ -1,7 +1,8 @@ --- title: Troubleshoot single sign-on -linkTitle: Troubleshoot SSO +linkTitle: Troubleshoot description: Troubleshoot common Docker single sign-on configuration and authentication issues +weight: 10 keywords: sso troubleshooting, single sign-on errors, authentication issues, identity provider problems tags: [Troubleshooting] toc_max: 2 diff --git a/content/manuals/enterprise/security/single-sign-on/_index.md b/content/manuals/enterprise/security/single-sign-on/_index.md index a48866b973fa..fdae42699280 100644 --- a/content/manuals/enterprise/security/single-sign-on/_index.md +++ b/content/manuals/enterprise/security/single-sign-on/_index.md @@ -55,5 +55,5 @@ Using a PAT ensures continued CLI access. For more information, see the ## Next steps - Start [configuring SSO](connect.md). -- Read the [FAQs](/manuals/enterprise/security/single-sign-on/faqs/general.md). -- [Troubleshoot](/manuals/enterprise/troubleshoot/troubleshoot-sso.md) SSO issues. +- Read the [FAQs](/enterprise/security/single-sign-on/faqs/general). +- [Troubleshoot](/enterprise/security/single-sign-on/faqs/troubleshoot-sso/) SSO issues. diff --git a/content/manuals/enterprise/security/single-sign-on/connect.md b/content/manuals/enterprise/security/single-sign-on/connect.md index 87d0056e5d63..ff216eea7da3 100644 --- a/content/manuals/enterprise/security/single-sign-on/connect.md +++ b/content/manuals/enterprise/security/single-sign-on/connect.md @@ -259,4 +259,4 @@ Docker Hub. If you want to use 2FA, you must enable 2FA through your IdP. - [Provision users](/manuals/enterprise/security/provisioning/_index.md). - [Enforce sign-in](../enforce-sign-in/_index.md). - [Create personal access tokens](/manuals/enterprise/security/access-tokens.md). -- [Troubleshoot SSO](/manuals/enterprise/troubleshoot/troubleshoot-sso.md) issues. +- [Troubleshoot SSO](/enterprise/security/single-sign-on/faqs/troubleshoot-sso/) issues. 
diff --git a/content/manuals/enterprise/troubleshoot/_index.md b/content/manuals/enterprise/troubleshoot/_index.md deleted file mode 100644 index 76d4281d6f40..000000000000 --- a/content/manuals/enterprise/troubleshoot/_index.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -build: - render: never -title: Troubleshoot -weight: 40 -params: - sidebar: - group: Enterprise ---- \ No newline at end of file diff --git a/content/manuals/unassociated-machines/_index.md b/content/manuals/unassociated-machines/_index.md index bcfdf1974af2..52c43f6e13d5 100644 --- a/content/manuals/unassociated-machines/_index.md +++ b/content/manuals/unassociated-machines/_index.md @@ -163,7 +163,7 @@ organization in two ways: - Auto-provisioning: If you have verified domains with auto-provisioning enabled, users who sign in with a matching email domain will automatically be added to your organization. For more information on verifying domains and - auto-provisioning, see [Domain management](/manuals/enterprise/security/domain-management.md). + auto-provisioning, see [Domain management](/enterprise/security/provisioning/domain-management). - SSO user provisioning: If you have SSO configured with [Just-in-Time provisioning](/manuals/enterprise/security/provisioning/just-in-time.md), users who sign in through your SSO connection will automatically be added
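Review bot: the SCIM page hunk `@@ -403,176 +352,6 @@` deletes the whole "Migrate existing JIT users to SCIM" section, including the IMPORTANT callout that accounts created by JIT are never de-provisioned by SCIM even after SCIM is enabled, and nothing else in this diff adds that text back anywhere. That is a security-relevant behaviour (orphaned accounts that outlive the employee in the IdP), not housekeeping, so either add a pointer to the new location in the surviving "Next steps" list (for example a bullet "Migrate JIT-provisioned users to SCIM" next to the group-mapping bullet) or, if the section was removed on purpose, state that in the PR description so reviewers can confirm the warning still reaches admins who enable SCIM on top of an existing JIT setup.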
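Review bot: in the SCIM "Next steps" hunk `@@ -589,5 +368,5 @@` the two links change from `/manuals/...md` file paths to absolute site URLs, while other hunks in this same diff (connect.md, unassociated-machines) leave neighbouring bullets in the `.md` form, so the page set ends up mixing two link styles. A `.md` target is resolved against the content tree and can be validated at build time; an absolute URL such as `/enterprise/security/provisioning/scim/group-mapping/` only fails as a 404 after deploy. Since the diff already shows where the files live, use `/manuals/enterprise/security/provisioning/scim/group-mapping.md` and `/manuals/enterprise/security/provisioning/troubleshoot-provisioning.md` here and keep one style across the series.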
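Review bot: the troubleshoot-provisioning.md front-matter hunk `@@ -1,12 +1,12 @@` replaces the alias `/security/troubleshoot/troubleshoot-provisioning/` with `/enterprise/security/provisioning/troubleshoot-provisioning/`, which is the renamed file's own URL, so the alias redirects the page to itself while the two URLs that actually disappeared (the old alias and the file's previous location `/enterprise/troubleshoot/troubleshoot-provisioning/`) now break for anyone holding a bookmark or external link. Keep the old alias and add the previous location instead:
aliases:
  - /security/troubleshoot/troubleshoot-provisioning/
  - /enterprise/troubleshoot/troubleshoot-provisioning/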
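Review bot: the troubleshoot-sso.md rename hunk `@@ -1,7 +1,8 @@` moves the file from `enterprise/troubleshoot/` to `enterprise/security/single-sign-on/FAQs/` but the front-matter change only adds `weight: 10` and shortens `linkTitle`; no alias for the old URL `/enterprise/troubleshoot/troubleshoot-sso/` appears in the hunk. If an `aliases:` block exists below the shown context, add that path to it; otherwise add one so existing links keep resolving. Also, both troubleshooting pages now carry `linkTitle: Troubleshoot`, so the two sidebar entries are distinguishable only by their parent section; keeping "Troubleshoot SSO" and "Troubleshoot provisioning" would avoid that ambiguity in search results and breadcrumbs.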
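Review bot: in the single-sign-on/_index.md hunk `@@ -55,5 +55,5 @@` the two rewritten bullets are inconsistent with each other: `/enterprise/security/single-sign-on/faqs/general` has no trailing slash while `/enterprise/security/single-sign-on/faqs/troubleshoot-sso/` does, and both use lowercase `faqs` for a directory the diff shows as `FAQs`. If the absolute-URL form is kept, normalise both to the trailing-slash form the site uses elsewhere in this diff; if not, `/manuals/enterprise/security/single-sign-on/FAQs/general.md` and `/manuals/enterprise/security/single-sign-on/FAQs/troubleshoot-sso.md` match the content tree exactly and avoid relying on URL lowercasing.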
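Review bot: the connect.md hunk `@@ -259,4 +259,4 @@` converts only the last bullet of the list to an absolute URL, leaving the list with three link styles in four lines (`/manuals/...md`, `../enforce-sign-in/_index.md`, and `/enterprise/security/single-sign-on/faqs/troubleshoot-sso/`). Use `/manuals/enterprise/security/single-sign-on/FAQs/troubleshoot-sso.md` so the bullet matches its neighbours, or convert the whole list in one go. The same applies to the unassociated-machines hunk `@@ -163,7 +163,7 @@`, where the domain-management link becomes absolute while the Just-in-Time link two lines below stays `/manuals/enterprise/security/provisioning/just-in-time.md`.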